Deral Heiland

R7-2014-01, R7-2014-02, R7-2014-03 Disclosures: Exposure of Critical Information Via SNMP Public Community String

Blog post by Deral Heiland, May 16, 2014

Summary of Vulnerabilities

This report details three critical information disclosure vulnerabilities. The vulnerabilities were discovered while Matthew Kienow and I (Deral Heiland) were researching information disclosure issues in SNMP on embedded appliances for a talk at CarolinaCon. During this research project, most devices exposed information that would be classified as benign or public. That said, in three cases we discovered devices that allowed the extraction of authentication data via the read-only community string "public". In two cases this was the default behavior. Regarding the impact of these vulnerabilities, casual investigation of public information revealed that a large number of the affected devices are exposing SNMP to the public Internet. This data is available from the Shodan search engine.

While it can certainly be argued that information disclosure vulnerabilities are simple to resolve and largely the result of poor system configuration and deployment practices, the fact remains that these issues can be exploited to gain access to sensitive information. In practice, the low-hanging fruit are often picked first. And with that, we have three new disclosures to discuss.

The first involves a Brocade load balancer (you might have one of these in your rack). The second and third involve some consumer-grade modems from Ambit (now Ubee) and Netopia (now Motorola). For the modem/routers, you might have one of these at a remote office, warehouse, guest Wi-Fi network, water treatment plant, etc. They are quite common in office and industrial environments where IT doesn't have a strong presence. Shodan identifies 229,409 Ambit devices exposed to the Internet, and 224,544 of the Netopia devices. Of these, 187,000 appear to be in the United States.

Moreover, the tested modems are currently end-of-life, which means that firmware updates to address these insecure defaults are unlikely to be released. Of course, just because something is end-of-life doesn't mean it disappears from the Internet -- casual Shodan browsing attests to that. Further, we cannot know whether these configurations persist in current, supported offerings from the vendors, but you might want to check yours when you get a chance to download Metasploit.

Disclosure Timeline: R7-2014-01 Brocade Load Balancer

Date            Description
Feb 05, 2014    Initial disclosure to the vendor (Brocade)
Feb 20, 2014    Disclosure to CERT/CC
Feb 27, 2014    CERT/CC acknowledges receipt (VU#139516)
May 16, 2014    Metasploit module published in Pull Request 3365

Technical Analysis

[Image: adx_1000.jpg]

The Brocade ServerIron ADX 1016-2-PREM, TrafficWorks Version 12.5.00T403 application load balancer stores usernames and password hashes within the SNMP MIB tables at the following OID indexes:

  • Username:       1.3.6.1.4.1.1991.1.1.2.9.2.1.1
  • Password hash:  1.3.6.1.4.1.1991.1.1.2.9.2.1.2

The Brocade ServerIron load balancer has SNMP enabled by default, with the community string "public" configured by default. Unless SNMP is disabled or the public community string is changed, an attacker can easily extract the password hashes for an offline brute force attack.

Disclosure Timeline: R7-2014-02 Ubee/Ambit

Date            Description
Feb 07, 2014    Initial disclosure to the vendor (Ubee)
Feb 10, 2014    Phone conference call with Ubee to discuss findings
Mar 26, 2014    Disclosed to CERT/CC
May 15, 2014    Metasploit module published in Pull Request 3365

Technical Analysis

[Image: DDW3611.png]

The Ambit U10C019 and Ubee DDW3611 series of cable modems store the following information within the SNMP MIB tables at the following OID indexes:

U10C019

  • Username:        1.3.6.1.4.1.4684.2.17.1.2.1.1.97.100.109.105.110
  • Password:        1.3.6.1.4.1.4684.2.17.1.1.1.2.97.100.109.105.110
  • WEP Keys Index:  1.3.6.1.4.1.4684.2.14.2.5.1.2
  • WPA PSK:         1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.6
  • SSID:            1.3.6.1.4.1.4684.2.14.1.2.0

DDW3611

  • Username:        1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
  • Password:        1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
  • WEP Key Index:   1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12
  • WPA PSK:         1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12
  • SSID:            1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12

By default, SNMP is not enabled on these devices. However, a number of cable providers that utilize Ubee devices currently enable SNMP with the community string "public" on the uplink side of the cable modem for remote management purposes, making it possible in those cases to enumerate this data over the Internet.

Disclosure Timeline: R7-2014-03 Motorola/Netopia

Date            Description
Feb 07, 2014    Initial disclosure to the vendor (Motorola)
Mar 26, 2014    Disclosure to CERT/CC
Apr 7, 2014     CERT/CC acknowledges receipt (VU#779628)
May 16, 2014    Metasploit module published in Pull Request 3365

Technical Analysis

[Image: netopia_3347.png]

The Netopia 3347 series of DSL modems store the following information within the SNMP MIB tables at the following OID indexes:

  • WEP Keys Index:  1.3.6.1.4.1.304.1.3.1.26.1.15.1.3
  • WPA PSK:         1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1
  • SSID:            1.3.6.1.4.1.304.1.3.1.26.1.9.1.2.1

SNMP is enabled by default with the community string "public" on the internal interface of this product. SNMP on the DSL side is not enabled by default, but a number of DSL providers that still utilize the Netopia 3347 series devices currently enable it with the community string "public" on the uplink side of the DSL link for remote management purposes, making it possible in those cases to enumerate this data over the Internet.

Exploitation

Metasploit auxiliary modules have been developed for extraction of data from these devices via SNMP. The screenshot below shows the use of the brocade_enumhash module.

[Image: brocade-metasploit.png]

Figure 1: Metasploit brocade_enumhash Module
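As an added illustration (this is not the Metasploit module and not Rapid7's code), the following self-contained Python example shows what such a module has to do on the wire: it encodes an SNMPv1 GetRequest for a list of OIDs, parses the GetResponse, and reports which of the advisory's OIDs the agent answered with a value. It is written for self-assessment, so the report names readable OIDs but never echoes the returned values. Everything in the demonstration, including the "agent" reply, is constructed locally and runs offline; query() is an assumed helper for checking a device you administer, and oid_string_index() assumes the trailing arcs of the Ambit U10C019 username OID listed above are raw ASCII codes with no length arc.

```python
import socket  # only used by query()
# BER primitives. SNMPv1 needs only INTEGER, OCTET STRING, NULL, OID and SEQUENCE.
def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def encode_int(v):
    n = 1                                        # smallest two's-complement width holding v
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))

def encode_oid(oid):
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:                         # rest are base-128, high bit = more follows
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def _read_tlv(data, pos):
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

# SNMPv1 framing (RFC 1157): SEQUENCE { version 0, community, PDU }
def build_get_request(community, oids, request_id=1):
    vbl = b"".join(_tlv(0x30, encode_oid(o) + b"\x05\x00") for o in oids)  # NULL placeholders
    pdu = _tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, encode_int(0) + _tlv(0x04, community.encode()) + pdu)

def build_get_response(community, request_id, varbinds, error_status=0):
    """Agent-side reply with OCTET STRING values; lets the demo simulate a device offline."""
    vbl = b"".join(_tlv(0x30, encode_oid(o) + _tlv(0x04, v)) for o, v in varbinds)
    pdu = _tlv(0xA2, encode_int(request_id) + encode_int(error_status) + encode_int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, encode_int(0) + _tlv(0x04, community.encode()) + pdu)

def parse_get_response(data):
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, _version, pos = _read_tlv(msg, 0)
    _, comm, pos = _read_tlv(msg, pos)
    ptag, pdu, _ = _read_tlv(msg, pos)
    if ptag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        varbinds.append((decode_oid(oid_body), vtag, bytes(val)))
    return {"community": comm.decode("latin-1"), "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}

def exposed_oids(response):
    """OIDs answered with a non-empty OCTET STRING. The values are dropped on purpose, so a
    report can say *that* a credential OID is readable without copying the credential."""
    if response["error_status"] != 0:            # e.g. SNMPv1 noSuchName (2): nothing disclosed
        return []
    return [oid for oid, tag, val in response["varbinds"] if tag == 0x04 and val]

def oid_string_index(oid, table_prefix):
    """Decode a string-typed row index carried as ASCII arcs after table_prefix
    (assumes no length arc, matching the Ambit U10C019 username OID in the advisory)."""
    tail = oid[len(table_prefix):].strip(".")
    return bytes(int(a) for a in tail.split(".")).decode("ascii")

def query(host, community, oids, timeout=2.0):
    """Live check of a device you administer (assumed helper, not run by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oids, request_id=0x1234), (host, 161))
        data, _ = s.recvfrom(65535)
    return parse_get_response(data)

if __name__ == "__main__":
    # Constructed round trip: a simulated agent answering the Brocade OIDs from the advisory.
    user_oid, hash_oid = "1.3.6.1.4.1.1991.1.1.2.9.2.1.1", "1.3.6.1.4.1.1991.1.1.2.9.2.1.2"
    reply = build_get_response("public", 1, [(user_oid + ".1", b"admin"), (hash_oid + ".1", b"<constructed>")])
    print("readable via 'public':", exposed_oids(parse_get_response(reply)))
```

Running the file performs the constructed round trip and prints only the OIDs that came back with data. Two details worth noticing: build_get_request("public", ["1.3.6.1.2.1.1.1.0"]) produces the familiar 40-byte sysDescr probe, so the encoder can be checked against any packet capture of a standard SNMP walker; and oid_string_index() on the U10C019 username OID decodes the arcs 97.100.109.105.110 to "admin", which is why the username is disclosed by the OID path itself and not only by the value stored there. If a device you administer answers any of the listed OIDs via "public", the fix the advisory points at is the same in every case: disable SNMP on that interface or change the community string.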

 

If you are curious about your own infrastructure and would like to use these scanner modules to assess your risk exposure, you're invited to get your free Metasploit download now or update your existing installation. Feel free to comment below if you have any other questions or concerns.

I would also like to give recognition to my good friend Brenden Morgenthaler. Brenden found a password exposure issue via SNMP in his home cable modem (not one listed in this advisory) in 2012. This piece of information, which he shared with me, led me to further investigate other cable/DSL modem devices as part of this SNMP information exposure research project.

Outcomes